After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version available here). The Provisions take effect immediately.
The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime. These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations. Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification. As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers. Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.Continue Reading China Eases Restrictions on Cross-Border Data Flows